After a long time doing automation testing with RSpec, I have recently started doing development. The initial task itself was an interesting one: setting up PayPal Payflow as a payment gateway for my Rails application. Even though it took me three days to complete :), I finally did it, and it gave me the feeling that I had learnt something new.

Let's see how we can set up the Payflow payment gateway for a Rails application. It is a four step process:

1. Set up a test Payflow account with PayPal.

2. Add the PayPal API credentials to your application.

3. Fetch a secure token before making the payment.

4. Redirect to the PayPal hosted pages for payment and handle the callback.

Set up a test Payflow account with PayPal

This is pretty straightforward, and here is a good article which explains with screenshots how we can set up a test Payflow merchant account.

Add the PayPal API credentials to your application

The login credentials can be used as API credentials to call the PayPal API. Save the credentials in config/initializers/paypal.rb.

Fetch a secure token before making the payment

This is the most important step. Using a secure token we can make a secure transaction with the PayPal server. The token is valid for only five minutes; after five minutes you can't complete the transaction. In my application I have used 'curb' (a Ruby wrapper around curl) to generate the HTTP POST request. You can alternatively use Net::HTTP, HTTParty or Faraday.

I am generating a secure token for an order and for a particular amount. Below is the explanation of the parameters:

TRXTYPE: Transaction type. 'A' (authorization) is the request type used to generate a secure token. (mandatory)
TENDER: Method of payment. 'C' stands for credit card payment. (mandatory)
AMT: Transaction amount. (mandatory)
ORDERID: The order for which you are doing the transaction.
CURRENCY: Currency of the transaction (here it is USD).
CREATESECURETOKEN: Boolean value indicating whether PayPal should create a secure token or not.
SECURETOKENID: Before generating the secure token we need to generate a secure token ID. Together, the secure token ID and the secure token identify a unique transaction. It must be 18 characters long.
PARTNER: Always 'paypal'.
VENDOR: PayPal login.
USER: PayPal login.
PWD: PayPal password.

As we are using PayPal hosted pages for the payment, the application redirects to the PayPal website, where the customer actually makes the payment. You can customize the hosted pages by logging in to your PayPal account. You can even set the success and failure redirect URLs in the hosted pages configuration.
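The post's own request code is not reproduced here, so the following is an added example (not the author's code) of the token step end to end: building the name/value request with the parameters listed above, parsing the gateway's name/value reply, checking RESULT and the returned SECURETOKENID, recording the five-minute expiry, and building the hosted-page redirect. It swaps curb for the standard-library Net::HTTP so it needs no extra gem. The hosts pilot-payflowpro.paypal.com and payflowlink.paypal.com, the MODE=TEST parameter, the length-tag escaping rule and the environment variable names are my assumptions about the Payflow gateway, not facts taken from the post; the sample response is constructed.

```ruby
require 'net/http'
require 'uri'
require 'openssl'
require 'securerandom'

# Assumed endpoints: the Payflow test ("pilot") gateway and the hosted-page host.
PAYFLOW_TEST_ENDPOINT = URI('https://pilot-payflowpro.paypal.com')
PAYFLOW_HOSTED_PAGE   = 'https://payflowlink.paypal.com'
SECURE_TOKEN_TTL      = 5 * 60 # the post states the token is valid for five minutes

# Credentials come from the environment instead of being hard-coded in
# config/initializers/paypal.rb (variable names are my own, with dummy fallbacks).
PAYFLOW_CREDENTIALS = {
  'PARTNER' => 'PayPal',
  'VENDOR'  => ENV.fetch('PAYFLOW_VENDOR', 'example-vendor'),
  'USER'    => ENV.fetch('PAYFLOW_USER',   'example-vendor'),
  'PWD'     => ENV.fetch('PAYFLOW_PWD',    'example-password')
}.freeze

# Payflow does not URL-decode values. A value containing '&' or '=' (passwords
# often do) is sent as NAME[length]=value so the gateway knows where it ends.
def encode_nvp_pair(name, value)
  value = value.to_s
  value.match?(/[&=]/) ? "#{name}[#{value.bytesize}]=#{value}" : "#{name}=#{value}"
end

# Request body for the authorization that creates the secure token.
# SecureRandom.hex(9) yields exactly the 18 characters SECURETOKENID requires.
def build_secure_token_request(amount:, order_id:, currency: 'USD',
                               secure_token_id: SecureRandom.hex(9))
  raise ArgumentError, 'SECURETOKENID must be 18 characters' unless secure_token_id.length == 18

  fields = PAYFLOW_CREDENTIALS.merge(
    'TRXTYPE'           => 'A',
    'TENDER'            => 'C',
    'AMT'               => format('%.2f', amount),
    'CURRENCY'          => currency,
    'ORDERID'           => order_id,
    'CREATESECURETOKEN' => 'Y',
    'SECURETOKENID'     => secure_token_id
  )
  fields.map { |k, v| encode_nvp_pair(k, v) }.join('&')
end

# The gateway answers in the same NAME=VALUE&NAME=VALUE form.
def parse_payflow_response(body)
  body.split('&').each_with_object({}) do |pair, out|
    key, value = pair.split('=', 2)
    out[key] = value
  end
end

# Accept the token only for an approved result (RESULT=0) whose SECURETOKENID
# matches the one we generated, and remember when it stops being usable.
def extract_secure_token(response, requested_id:, now: Time.now)
  return nil unless response['RESULT'] == '0'
  return nil unless response['SECURETOKENID'] == requested_id

  { token: response['SECURETOKEN'], token_id: requested_id, expires_at: now + SECURE_TOKEN_TTL }
end

# Redirect target for the hosted page; the card data is entered there, not on our site.
def hosted_page_url(token, token_id, mode: 'TEST')
  "#{PAYFLOW_HOSTED_PAGE}?" +
    URI.encode_www_form('SECURETOKEN' => token, 'SECURETOKENID' => token_id, 'MODE' => mode)
end

# Live call (not exercised offline): POST the body over TLS with peer verification on.
def request_secure_token(body)
  http = Net::HTTP.new(PAYFLOW_TEST_ENDPOINT.host, PAYFLOW_TEST_ENDPOINT.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  req = Net::HTTP::Post.new('/', 'Content-Type' => 'text/namevalue')
  req.body = body
  parse_payflow_response(http.request(req).body)
end

# Constructed sample reply, shaped like an approved secure-token response.
SAMPLE_RESPONSE = 'RESULT=0&RESPMSG=Approved&SECURETOKEN=ExampleToken123&SECURETOKENID=abcdef012345678901'
```

In a controller you would call build_secure_token_request, send the body with request_secure_token, pass the reply through extract_secure_token, and redirect_to the URL from hosted_page_url; the stored expires_at lets you refuse to reuse a token after the five minutes rather than letting the customer hit a gateway error.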

This process ensures that no sensitive credit card or payment information is ever sent to our server; hence the website is compliant automatically and does not require any PCI compliance work or even an SSL certificate!

I hope that after reading this article no one will spend as much time as I did on this integration. Suggestions are welcome.

Just a warning to anybody reading this: you may not need an SSL cert in this case to meet PCI regulations, but you should always use HTTPS/SSL to serve the payment page to help prevent a man-in-the-middle attack where a malicious hacker could insert malicious code into the page that tracks keystrokes in the form or tries to modify the form target URL to send credit card data to his site for harvesting.